Vincent AI phishing vulnerability found, 200K+ law firms at risk of credential and data theft


Vincent, the vLex AI assistant used by tens of thousands of legal teams and law firms worldwide, contains an AI-phishing vulnerability that attackers could exploit via hidden HTML code – all to steal users’ login credentials and potentially expose sensitive client files.


That’s according to PromptArmor researchers, who recently discovered the vLex vulnerability and published a new blog post about it on Monday.


Researchers say the hackers could exploit “Vincent,” the legal AI assistant “engineered for lawyers,” by embedding hidden text in documents that are unknowingly uploaded to the vLex platform by the firm’s legal teams, prompting the AI to output malicious HTML, which is then rendered in users’ browsers.

This indirect prompt injection introduces the risk of remote code execution (RCE), ultimately enabling “screen overlay” phishing attacks against unsuspecting vLex users.


A screen overlay attack is a “sophisticated technique” where a fake screen is placed over a legitimate app or website interface – in this case, a login page – to trick users into revealing sensitive information.

vLex is a “comprehensive legal intelligence platform” designed to help legal professionals “research, analyze, and practice law across every aspect of their work,” the company states.


Used by eight of the top ten global law firms, the AI-fueled platform was bought by Clio – the world’s leading legal tech solutions provider – in a landmark $1 billion deal just last month, pushing the number of law firms, bar associations, and governments using vLex well over 200,000.

“We responsibly disclosed this vulnerability to vLex,” says Shankar Krishnan, co-founder and managing director of PromptArmor, adding that the company took “fast, effective action,” and made “updates in alignment with our remediation recommendations.”


Malicious pop-ups can steal logins

PromptArmor says the novel RCE vulnerability could be manipulated by hackers to gain unauthorized access to law firms’ internal systems, potentially exposing large volumes of sensitive client documents.

Calling it a “three-step attack chain,” the researchers first used prompt injection to hide “white-on-white” text in documents sourced online, later uploaded by legal teams during case research.

Arrow points to hidden prompt injection text. Image by PromptArmor.

In this specific case, the concealed text is embedded in the form of a fake witness quote. And, for this research, Vincent AI was instructed to parse all direct quotes from the document.

But when “Vincent AI reads the document and parses out the ‘direct quotes’ – including the attacker’s fake quote written in white-on-white text,” the hidden attacker HTML code will automatically be executed by the victim’s browser.

“When this code is output in the chat, it is processed by the user’s browser as if it were part of the Vincent AI web page,” says Krishnan. "The malicious code retrieves the attacker’s website and overlays it on the user’s chat."

According to the blog, the attacker’s website mimics the vLex login screen, creating a convincing phishing pop-up that steals any credentials the user enters on the fake site.

Any credentials entered in the fake login are stolen by the attacker. Image by PromptArmor.

Recommendations to harden vLex


The research also noted that the Vincent AI model could additionally be tricked into outputting malicious JavaScript "stored in Markdown hyperlinks or HTML elements."

This could enable attackers to steal data via zero-click exfiltration, hijack sessions, force file downloads, or mine cryptocurrency, with the attacks actually "executing each time the chat is opened," Krishnan said.

Session tokens could also be at risk of theft, further allowing attackers to “take actions on a user’s behalf in vLex” including accessing data held in the platform.
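
As an added example (not from PromptArmor’s post or vLex’s code), the defensive side of the rendering issue described above, where model output is processed as part of the page and can carry JavaScript in Markdown hyperlinks or HTML elements: a chat front end that treats model output as untrusted text, escaping HTML and linking only http/https targets. The function names and the sample output string are constructed for illustration.

```javascript
// Added example: render model output as untrusted text, never as page markup.
// All names and the sample string are constructed for illustration.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const LINK_RE = /\[([^\]\n]*)\]\(([^)\s]*)\)/g; // Markdown [label](url)

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns a normalised absolute URL, or null if the scheme is not allowlisted.
// The URL parser lowercases the scheme and strips tabs/newlines, so
// "JavaScript:" and "java\tscript:" are both recognised and rejected.
function safeHref(rawUrl) {
  try {
    const url = new URL(rawUrl.trim());
    return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
  } catch {
    return null; // relative or unparsable targets are not linked
  }
}

function renderModelOutput(text) {
  let html = "";
  let last = 0;
  for (const m of text.matchAll(LINK_RE)) {
    html += escapeHtml(text.slice(last, m.index));
    const href = safeHref(m[2]);
    const label = escapeHtml(m[1]);
    html += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`
      : label; // disallowed target: keep the visible text, drop the link
    last = m.index + m[0].length;
  }
  return html + escapeHtml(text.slice(last));
}

// Constructed model output: a parsed "quote" carrying markup and a script link.
const sampleOutput =
  'Quote 1: "The contract was signed." ' +
  '<iframe src="https://attacker.example/"></iframe> ' +
  "[exhibit A](JavaScript:0) [ruling](https://example.org/r?id=1&p=2)";

console.log(renderModelOutput(sampleOutput));
```

Output escaping of this kind is a baseline; a Content-Security-Policy that restricts frames and scripts on the chat page gives a second layer if a rendering path is missed.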


PromptArmor suggests that organizations ensure any untrusted documents are clearly marked as such in the vLex system within Collections.


Next, make sure to always configure the visibility permissions for any untrusted documents to “Only for individuals authorized” and not “For all organization.”

Finally, the AI security company says organizations should always prohibit users from uploading documents from unverified online sources.
